Skip to main content
Explore our brands An Informa TechTarget Publication
close search
site logo

Patch bypass allows hackers to exploit prior flaw in SonicWall SSL-VPN

Researchers said a wave of attacks began in February targeting firewalls that appeared to be protected.

Published May 19, 2026
David Jones's headshot
Reporter
Digital code data numbers and secure lock icons on hacker's hands working with keyboard computer on dark blue tone background.
Getty Images

A threat group has successfully been exploiting a two-year-old vulnerability in SonicWall SSL-VPN appliances since February, despite the flaw being patched, according to a report released Tuesday by cybersecurity firm Reliaquest. 

The authentication bypass vulnerability, tracked as CVE-2024-12802, allows an attacker to bypass multifactor authentication (MFA) in SonicWall SSL-VPN appliances. 

Starting in February 2026, attackers were able to engage in brute force attacks using automated tools, which bypassed MFA without setting off any red flags or login alerts, according to Reliaquest researchers. 

After encountering the same pattern across multiple incident response scenarios, Reliaquest began investigating the activity. 

“Across those cases, all between February and March 2026, we saw the same pattern: VPN accounts brute-forced at speed, MFA appearing enabled but not stopping authentication, and a specific session type in the logs pointing to automated tooling,” Reliaquest researchers told Cybersecurity Dive. 

Researchers could not provide direct attribution for the attacks, but the threat activity was consistent with ransomware activity from the Akira group. That group was linked to a series of attacks targeting SonicWall customers in 2025.

SonicWall issued an advisory and a firmware upgrade in 2025, but Reliaquest warned that there are six additional manual steps required to make sure Gen6 devices are secure. The patches are working normally in Gen7 devices, researchers said. 

The attacks are accomplished by exploiting the separate handling of User Principal Name and Security Account Manager account names when integrated with Microsoft Active Directory. The firmware update by itself fails to remove the Lightweight Directory Access Protocol configuration, which enables the bypass. 

Researchers said the flaw was given a severity score of only 6.5 by SonicWall, which may have led some organizations to not pay close attention. CISA’s Authorized Data Publisher assessment rates the vulnerability as a 9.1, which is considered critical. 

In a more recent development, Gen6 appliances reached end-of-life status on April 16, which means SonicWall no longer supports them. 

A spokesperson for SonicWall was not immediately available for comment. 

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Teqtivity Report: How the Ghost Asset Crisis Becomes a Breach Risk
From Teqtivity
May 05, 2026
Teqtivity logo
Former Okta President of Auth0, Shiven Ramji, to Join Cellebrite as President, Products and Te…
From Cellebrite
May 01, 2026
360 Privacy Expands Executive Team to Grow Digital Exposure Reduction
From 360 Privacy
April 29, 2026
360 Privacy logo
The Pitstop Releases “The AI Agent Liability Gap” White Paper on Security, Insurance, and Acco…
From thepitstop.ai
April 29, 2026
thepitstop.ai logo
Editors' picks
Latest in Vulnerability
This website is owned and operated by Informa TechTarget, a global network that informs, influences and connects the world's technology buyers and sellers.

© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. An Informa PLC company.
Privacy policy | Terms of use | Take down policy | Cookie Preferences / Do Not Sell